
RShell Malware

A Chinese threat actor has been observed using a weaponized version of a messenger application to deploy a backdoor named RShell. The backdoor has versions for both Linux and macOS. Details of the attack campaign and of RShell itself were released in reports by security researchers, who place RShell in the arsenal of the APT (Advanced Persistent Threat) group tracked as APT27, LuckyMouse, Iron Tiger and Emissary Panda. The group has been active for over a decade and is primarily focused on cyber-espionage.

The attackers used a trojanized version of the 'MìMì' ('mimi', 秘秘, 'secret') Electron messaging application, which is advertised as available for Android, iOS, Windows and macOS. The researchers also found a Linux build of the RShell payload. When the trojanized macOS MiMi build is launched, it first checks that the environment matches its target, i.e. that the platform is macOS (Darwin). It then fetches an RShell payload from its Command-and-Control (C2, C&C) server, writes it to the temp folder, grants it execute permission and runs it.
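The delivery chain above (binary written to a temp folder, made executable, then run) leaves a simple artifact to hunt for on a host: a freshly written Mach-O or ELF file with the execute bit set under a temp directory. The following is an added example of such a check, written for this page; it is not code from the original report or from the malware. The sample files it creates are constructed inline for the demonstration, and the one-hour age window and the temp path are assumptions a responder would tune.

```python
import os
import stat
import tempfile
import time
from pathlib import Path

# Magic bytes of native executables: ELF, the Mach-O variants (32/64-bit,
# both byte orders) and the fat/universal Mach-O header.
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # MH_MAGIC, MH_MAGIC_64
    b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",  # MH_CIGAM, MH_CIGAM_64
    b"\xca\xfe\xba\xbe",                       # FAT_MAGIC (universal binary)
}


def binary_kind(path):
    """Return 'elf', 'mach-o' or None based on the first four bytes of a file."""
    try:
        with open(path, "rb") as f:
            head = f.read(4)
    except OSError:
        return None
    if head == ELF_MAGIC:
        return "elf"
    if head in MACHO_MAGICS:
        return "mach-o"
    return None


def find_dropped_executables(temp_dir, max_age_seconds=3600, now=None):
    """Hunt for native executables recently written under temp_dir.

    A hit must be a regular file (no symlinks), carry at least one execute
    bit (the 'chmod +x' step of the delivery chain), be younger than
    max_age_seconds and start with an ELF or Mach-O magic.  Results are
    sorted by path so reports are stable.
    """
    now = time.time() if now is None else now
    hits = []
    for p in Path(temp_dir).rglob("*"):
        try:
            st = p.lstat()
        except OSError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue                              # directories, symlinks, sockets
        if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            continue                              # no execute bit yet
        if now - st.st_mtime > max_age_seconds:
            continue                              # too old for this hunt window
        kind = binary_kind(p)
        if kind is None:
            continue                              # scripts, data, archives: out of scope
        hits.append({
            "path": str(p),
            "kind": kind,
            "mode": oct(st.st_mode & 0o777),
            "age_s": int(now - st.st_mtime),
        })
    return sorted(hits, key=lambda h: h["path"])


def build_constructed_temp_dir():
    """Create a throw-away directory of constructed files (not real samples)."""
    d = tempfile.mkdtemp(prefix="rshell_hunt_")
    samples = {
        "rshell_like":   (b"\xcf\xfa\xed\xfe" + b"\x00" * 28, 0o755),  # Mach-O 64 header, executable
        "linux_like":    (b"\x7fELF" + b"\x00" * 28, 0o700),           # ELF header, executable
        "notes.txt":     (b"just text", 0o644),                         # not a binary
        "stale_elf":     (b"\x7fELF" + b"\x00" * 28, 0o755),           # binary, but aged out below
        "no_exec_macho": (b"\xcf\xfa\xed\xfe" + b"\x00" * 28, 0o644),  # binary without exec bit
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, mode)
    old = time.time() - 2 * 24 * 3600                 # make stale_elf two days old
    os.utime(os.path.join(d, "stale_elf"), (old, old))
    return d


if __name__ == "__main__":
    for hit in find_dropped_executables(build_constructed_temp_dir()):
        print(hit)
```

On a real host, point `find_dropped_executables` at the per-user and system temp directories (on macOS also the `$TMPDIR` path under `/var/folders`), and treat a hit as a lead to pivot on, not a verdict: the parent process that wrote the file and any outbound connection it made are what confirm a drop-and-execute chain.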

Analysis of RShell shows that it is a backdoor equipped with the features typical of this malware type. The earliest samples discovered by Trend Micro date from June 2021. RShell is delivered as a Mach-O binary on macOS and as an ELF binary on Linux. Once running on the victim's device, it collects system information such as the computer name, IP address, username and OS version, packs it into a binary JSON (BSON) message and sends it to the C2 server over plain TCP, with no encryption. Because the check-in is unencrypted, the host profile it carries is visible to anyone inspecting the traffic. The operators can then instruct RShell to execute shell commands, read files, list the files and directories of the root filesystem, write data to specified files, and more.
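Since the check-in is BSON over unencrypted TCP, a network sensor can decode it directly. The following is an added example written for this page, not code from the original report or from the malware: a minimal BSON encoder/decoder (strings, int32, int64, booleans and embedded documents, enough for a host-profile message) plus a classifier that flags a TCP payload carrying such a profile. The key names `hostname`, `ip`, `username` and `version` are assumptions standing in for the fields the page lists; the real samples' key strings are not given on this page. The sample messages are constructed, not captured traffic.

```python
import struct

# Assumed key names for the collected host profile (placeholders; the page
# names the data collected but not the exact BSON keys the malware uses).
PROFILE_KEYS = {"hostname", "ip", "username", "version"}


def bson_encode(doc):
    """Encode a flat dict of str/int values as a BSON document (string, int32)."""
    body = b""
    for key, value in doc.items():
        kbytes = key.encode("utf-8") + b"\x00"
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise TypeError(f"unsupported value for {key!r}")
        if isinstance(value, str):
            s = value.encode("utf-8") + b"\x00"
            body += b"\x02" + kbytes + struct.pack("<i", len(s)) + s
        else:
            body += b"\x10" + kbytes + struct.pack("<i", value)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def _cstring(buf, pos):
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8"), end + 1


def _decode_doc(buf, pos):
    if len(buf) - pos < 5:
        raise ValueError("too short for a BSON document")
    total = struct.unpack_from("<i", buf, pos)[0]
    end = pos + total
    if total < 5 or end > len(buf) or buf[end - 1] != 0:
        raise ValueError("bad document length or terminator")
    pos += 4
    doc = {}
    while pos < end - 1:
        etype = buf[pos]
        key, pos = _cstring(buf, pos + 1)
        if etype == 0x02:                                   # UTF-8 string
            slen = struct.unpack_from("<i", buf, pos)[0]
            s = buf[pos + 4: pos + 4 + slen]
            if slen < 1 or len(s) != slen or s[-1] != 0:
                raise ValueError("bad string element")
            doc[key] = s[:-1].decode("utf-8")
            pos += 4 + slen
        elif etype == 0x10:                                 # int32
            doc[key] = struct.unpack_from("<i", buf, pos)[0]
            pos += 4
        elif etype == 0x12:                                 # int64
            doc[key] = struct.unpack_from("<q", buf, pos)[0]
            pos += 8
        elif etype == 0x08:                                 # boolean
            doc[key] = buf[pos] == 1
            pos += 1
        elif etype == 0x03:                                 # embedded document
            doc[key], pos = _decode_doc(buf, pos)
        else:
            raise ValueError(f"unsupported element type 0x{etype:02x}")
    if pos != end - 1:
        raise ValueError("element overran the document")
    return doc, end


def bson_decode(buf):
    """Decode exactly one BSON document; ValueError if buf is not well-formed BSON."""
    doc, end = _decode_doc(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after document")
    return doc


def inspect_tcp_payload(payload):
    """Classify a captured TCP payload as an RShell-style plaintext check-in or not.

    Flags any payload that parses as BSON and carries at least two of the
    assumed host-profile keys.
    """
    try:
        doc = bson_decode(payload)
    except (ValueError, struct.error, UnicodeDecodeError):
        return {"bson": False, "profile_keys": [], "suspicious": False}
    keys = sorted(k for k in doc if k in PROFILE_KEYS)
    return {"bson": True, "profile_keys": keys, "suspicious": len(keys) >= 2}


# Constructed sample messages for the demonstration (not captured traffic).
CHECKIN = bson_encode({"id": 1, "hostname": "mac-dev-03", "ip": "10.0.0.21",
                       "username": "dev", "version": "12.5"})
BENIGN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(inspect_tcp_payload(CHECKIN))
    print(inspect_tcp_payload(BENIGN))
```

The length-prefixed, self-describing BSON framing is what makes this practical in a sensor: a stream that starts with a plausible int32 length and ends with a 0x00 terminator, and whose elements decode to strings named like a host inventory, is a strong signal on a TCP port where no database protocol is expected. Keep the key list loose and score on the shape of the document rather than exact names, since field names are trivial for the operators to change.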
